validate_password plugin serves to test
passwords and improve security. The plugin exposes a set of system
variables that enable you to define password policy.
This plugin implements two capabilities:
In statements that assign a password supplied as a cleartext value, the plugin checks the password against the current password policy and rejects it if it is weak (the statement returns an
ER_NOT_VALID_PASSWORDerror). This affects the
SET PASSWORDstatements. Passwords given as arguments to the
OLD_PASSWORD()functions are checked as well.
VALIDATE_PASSWORD_STRENGTH()SQL function assesses the strength of potential passwords. The function takes a password argument and returns an integer from 0 (weak) to 100 (strong).
For example, the cleartext password in the following statement is checked. Under the default password policy, which requires passwords to be at least 8 characters long, the password is weak and the statement produces an error:
mysql> ALTER USER USER() IDENTIFIED BY 'abc'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
Passwords specified as hashed values are not checked because the original password value is not available:
mysql> ALTER USER 'jeffrey'@'localhost' IDENTIFIED WITH mysql_native_password AS '*0D3CED9BEC10A777AEC23CCC353A8C08A633045E'; Query OK, 0 rows affected (0.01 sec)
System variables having names of the form
represent the parameters that control password policy. To
configure password checking, modify these variables; see
Section 126.96.36.199, “Password Validation Plugin Options and Variables”.
validate_password plugin is not
system variables are not available, passwords in statements are
not checked, and the
function always returns 0. For example, without the plugin
installed, accounts can be assigned passwords shorter than 8
Assuming that the
validate_password plugin is
installed, it implements three levels of password checking:
STRONG. The default is
MEDIUM; to change this, modify the value of
policies implement increasingly strict password tests. The
following descriptions refer to default parameter values, which
can be modified by changing the appropriate system variables.
LOWpolicy tests password length only. Passwords must be at least 8 characters long.
MEDIUMpolicy adds the conditions that passwords must contain at least 1 numeric character, 1 lowercase character, 1 uppercase character, and 1 special (nonalphanumeric) character.
STRONGpolicy adds the condition that password substrings of length 4 or longer must not match words in the dictionary file, if one has been specified.
In addition, as of MySQL 5.7.15, the
validate_password plugin supports the
capability of rejecting passwords that match the user name part of
the effective user account for the current session, either forward
or in reverse. To enable control over this capability, the plugin
system variable. By default, this variable is disabled.